Bypass a $200 biometric lock with a paperclip

Three noted "lock hackers" have discovered that a $200 biometric lock is powerless before the might of the simple paperclip.

Wired reports that the "gross insecurity" of high-tech locks has been exposed. Several different expensive, modern locks with advanced design concepts proved ineffective against the efforts of Marc Weber Tobias, Toby Bluzmanis, and Matt Fiddler, who have been exposing the poor security design of physical locks at DefCon for years.

The most egregious example appears to be the $200 Biolock Model 333. It provides a fingerprint reader as its main selling point, but also features a remote for locking and unlocking and a physical key in case the fingerprint reader fails to unlock the door for its user. The whole biometric selling point was trivially bypassed, however, by simply inserting a straightened paper clip into the keyhole. The sort of lockpicking practiced by locksmiths (and private investigators in the world of TV shows and movies) is not required; the whole process simply involves pushing the paperclip into the keyhole and turning the handle.

The Wired article offers a video of the technique, demonstrated by the security researchers presenting their findings at this year's DefCon. They describe the lock's vulnerability as a "perfect example of insecurity engineering".

Another example involves a Kwikset smartkey deadbolt system that can be trivially cracked with a screwdriver. Kwikset has stated that the lock has "passed the most stringent lock-picking standard." Marc Weber Tobias pointed out that adherence to standards is not enough when it comes to security. The very nature of many problems we face is defined by the unexpected and unpredictable. If we do not expect it and cannot predict it, we certainly cannot standardize it.

A small safe intended for residential use, a battery-operated electronic lock operated by an RFID key, and an electro-mechanical lock that keeps an audit log -- from AMSEC, KABA, and iLock respectively -- were also found to suffer weaknesses in their security functionality.

In addition to the Biolock video, there are videos within the online Wired article showing demonstrations of weaknesses of the other locks and safe as well. All told, the article itself gives a quick and easy glimpse into the world of poor physical security design, and the videos provide a concrete demonstration of the techniques involved. More than a mere warning to avoid poorly designed security devices, these examples should serve as an object lesson in the dangers of uninformed, improperly tested, and inexpert security design.

Wired's article is definitely worth the price of admission.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

48 comments
Jellimonsta

Wow. Glad I am not one to buy gimmick devices, which is all this biometric lock really is. I have better things to blow $200 on. :p

SwissJon

Anyone that's watched Mission Impossible will tell you that. In the end, if the thieves want in, then they'll get in.. I subscribe to the Car alarm principle.. A car alarm isn't going to stop a thief from stealing YOUR car, if that's what they want to steal. But, if a thief wants to steal A car, and there's one down the road without an alarm.. Guess which one they'll steal.. In the end, you can spend billions of dollars on security and miss a glaringly obvious error because you've focussed too much on one aspect and completely neglected the others. Biometric locks are great. But the physical lock needs to be at least as good as non-biometric locks. Why reinvent the wheel??

sinbad66

I read a story 20 years ago about a guy who was evaluating offsite storage companies for his backup tapes. Standing outside the room in one place, looking at the tapes and shelves and robotic arms he was told that he was looking through "30 minute bulletproof glass". What did that mean? Well, you could shoot a machine gun at it for 30 minutes before the bullets would break through. So he knocked on the wall. It was made of wallboard, 16 inch studs; you could put your fist through it in a pinch. He didn't pick that company to store his backups.

Neon Samurai

I saw that one pop up on the weekend.. yet another company substituting book-learning where they should have hired a few hackers for QA testing.

Sterling chip Camden

I found this one particularly humorous. Our high-tech fingerprint recognition is foolproof, so long as the perp does not possess a paper clip.

drowssapma

Locks only keep honest people out.

Dave51

The way the car thieves get into your car these days is to break into your house and steal the keys. ;,)

Glenn from Iowa

I drive a rusted 1992 Ford Explorer with the muffler hanging about 1 inch off the ground, but to my knowledge, this vehicle has never had an alarm installed. Also, to my knowledge, it has never been stolen, despite my keeping the doors unlocked and the key in the ignition for the past 6 months. Of course, I'm sure the point is that, given the choice of two cars worth stealing, a thief would choose the one without an alarm. Oh yes, that's the part about "if the thieves want in...." :) I'm obviously no expert on new cars, but doesn't virtually every new car nowadays come with a car alarm? But yes, I suppose the point is that, if Mercedes or Lexus started selling a model that did not come standard with an alarm, that model would be on the most-stolen list the next year.

mr_bandit

I was in the waiting room of an ER in a rougher part of LA, waiting to be let into the "take your name and insurance info" part. They were separated by bulletproof glass. I tapped on the wall. When they let me in and I was seated, I casually asked the person if they had noticed the glass was bulletproof but the walls were not. They allowed as how they knew, but hoped the gang-bangers were not smart enough to notice. Score so far: gang-bangers 0. Read Feynman's books with an eye towards his experiences cracking safes.

Digicruiser

One major outlet of electronic parts etc, had to sell off cheaply a biometric device that attached to a computer. You could confuse the sensor simply by moving your finger fast over it and that was around the $100 mark (Aussie). Apart from proper industrial security devices, anything cheap will most likely fail in some way. What was discussed locally ages ago, is the ATM biometric scanners that may come out here. The new crime that will pop up over the world will be chopping your finger/hand off just to use it at a machine (if only biometric is used) to gain money etc or gain entrance. LOL - Eye scanner - rip their eyeballs out, machine can't tell if it's living...

AnsuGisalas

for the instance that the fingerprint scanner doesn't get a reading should be a good tell-tale. If it's a fingerprint reader that can open a lock that can also be opened by a key then we're talking about an inherently unsound concept: It's a security shunt either way. If you don't have what it takes to spoof the scanner, then you can try and crack the lock. If you don't have what it takes to crack the lock, try spoofing the scanner. It's so inane to begin with that the only way to make it worse would be for the lock to be ... exactly as easy to crack as the least secure kind of kids' piggy banks. Which it is, and it's hilarious. :D Late edit: If you want to add to this, or to have a finger-print cop-out in case you forget/lose your keys a lot: Simply put up a strongbox next to the door in question, and set up a fingerprint reader to unlock the box. Inside the box is the key to the door. That achieves the same as the system mentioned (although it adds the further shunt of breaking the box, but at least you avoid the paper clip attack :p).

Neon Samurai

paper clips, pens, electric tooth brushes.. and my favorite.. toilet paper rolls.. all handy tools for opening locks. ;D

Ed.Pilling

Locks do not keep thieves out but keep honest men honest. As a point someone else made was they are there to slow people down. If it takes 20 or so minutes to get past a lock then that will deter 99% of the thieves out there. Too bad when this was designed they overlooked the paper clip in the hole trick.

ijm51

The point of a lock is often not so much to keep the honest people out but to know when the dishonest people have been in.

sboverie

Locks are supposed to discourage break-ins by slowing the break-in processes. The idea is that crooks are inherently lazy and will look for easy access to steal goods over having to take extra steps to break in.

AnsuGisalas

This will be averted by the economic crisis, since soon most people will be living in their cars!

Ocie3

drive a high-end Mercedes Benz away from its parking spot outside a house with the alarm sounding loud and clear. It's amazing how fast the Mercedes accelerated away from the curb. I happened to be driving in the opposite direction on that block, on my way home shortly after midnight.

AnsuGisalas

People here get old cars stolen a lot. It's a disposable vehicle, good for crime, getaways and other sordidnesses. But maybe your car has a manual transmission, and the would-be thieves wouldn't know what that even is?

JCitizen

should tell the difference between a live eye and a dead one; the tissue degrades too rapidly. With no blood pressure the iris loses its 3D mapping, and the retina just doesn't look the same at all.

tsears

We have a $350 locking mailbox because we are rural and have had some mail theft issues. Yesterday, someone broke into our $350 locking mailbox in broad daylight, by wrapping a tennis ball with electrical tape, slitting a hole in it, and packing the interior to explode. Drop the lit ball into the mail slot and instant ram while the mail is relatively unhurt and the sound is relatively muffled. Popped the door right open without taking a tool to the front.

Ocie3

but stiff "cards" or sheets work well against doorknob locks, especially.

magic8ball

They make great makeshift shims.

Rolland St-Onge

I get the paper clips, pens, electric tooth brushes, even the nail file from a nail clipper (my favorite!) but I don't get the toilet paper rolls!!!

apotheon

Bananas are critical tools for picking locks, too.

Neon Samurai

When it's easy to pick a lock leaving no trace that it was opened and then closed, it's not really indicating that the dishonest people have been in. With lock bumping and design flaws like shown here, the bolt-cutter universal key is really a last resort. (thank goodness the locksport folks have a high degree of ethics like the majority of other Hacker sub-groups)

boomchuck1

True point. While in the Navy I came to understand that our locking cabinets never stated that they were impenetrable, but only that they were rated at a certain number of hours estimated before someone could break into them. These were 4 digit combo cabinets with 80 numbers on the dial, so it wasn't going to be as easy as your 5 key punch code door lock that secures our office.

Glenn from Iowa

You know, that's funny, my wife also mentioned the manual transmission (which it has) as a theft deterrent. We have had some friends get an old vehicle stolen, taken for a joyride, and left a short distance away. They live in a bigger city, but still, I'm aware it can happen. And I do actually lock it occasionally, when I have something irreplaceable that I don't want to take with me (not usually anything valuable) or when I have to park in certain parts of town. But most days, parked in my driveway or at work, I don't worry about it. And yes, you're right, it is luck.

tsears

I was on a military base. Wife had a nice vehicle but I had a beater because I did not need it very often, holes in the floorboard, etc. Never thought there would be theft of it, especially from a secured facility. But they still stole the battery...one thing they thought might still be worthwhile. You never know when a thief will find value in what you have.

JCitizen

of how to break into your car with a tennis ball; and all they had was a small oblong hole into the core of the ball. By putting the hole over the keyhole on a car key handle. And forcibly squishing it - giving it a flat handed slap directly toward the door, the air pressure simply popped the lock open. You could see the lock button in the car pop up indicating it was unlocked. Pretty amazing! Seems like one could use compressed air in any number of gizmos to do the same thing.

Ocie3

Probably not, since the description was a tennis ball with a slit or slot cut into it, then "packed" with explosive. Gunpowder probably is the most accessible to the perpetrator, and relatively cheap. The principal aerosol propellant nowadays is butane, which is also used for fuel. It has a higher ignition point than propane, which is commonly used to fuel barbeque grills and such. Like methane, both are odorless until they add the compound that smells like a skunk. Edit: Please note that I am not recommending butane or any other gas as an explosive.

Neon Samurai

Granted.. we're way into questionable discussion now and can probably move on to other threads. :D

apotheon

Ventilate the box. One possibility would involve raising the floor of the mailbox, with the walls wrapping to provide lips below the floor around the edges. Maintain separation between the lips and the floor, of course, so air can pass through. "Seal" it off with mesh strong enough to resist easy cutting, so air can pass through but your mail can't. An explosive force weak enough that it doesn't destroy your mail should blow through the mesh, draining off the pressure generated so that the door of the mailbox will be fine.

apotheon

If you have a string tied off to the slit, you can push it through then hold it near the top. Attach a tube to the spray tip (like the tubes that come with WD-40 cans), stick that through the slit, and fill. The problem is finding an aerosol that would detonate (or at least burn sufficiently quickly) to provide the kind of sudden pressure needed to blow the door open.

Neon Samurai

I forget the name of the movie but I just rewatched it about two weeks ago. One of my favorite scenes, two guys are breaking into a place. The one guy's day job is installing home alarms. first guy "so, we have 30 seconds before it goes off once the door opens?" second "yup" - door opens and second guy disappears inside then comes back out first guy "that was ten seconds" second "that's why I tell people to get a dog"

Neon Samurai

I'm thinking aerosol maybe?.. the gas squishes hopefully without too much escaping the blast chamber. An electric ignition would fit the profile. (wow, too many spud gun engineers in my distant past to think of that as fast as I did..)

AnsuGisalas

But yes, the ID theft angle explains the effort involved. Hm, what would help... blast-proof mailbox, bolt-type lock, heavy concrete stand... maybe a siren - blast-resistant of course. The lock could be external to the box, an inexpensive steel "chastity belt" that holds shut the flap. Simple should be best.

Ocie3

is one of the primary resources for ID theft, especially when the document is an account statement or "bill". I suppose that it is profitable enough for someone to do it, because it is more common than most of us realize, especially in rural areas or in areas of towns where the mail is delivered curbside (i.e., along the street or road, not to the house itself). As to your question, I don't know what the Boy Scouts are being taught now. Maybe it depends upon the teacher. But you could probably extract enough gunpowder from a few "cherry bombs" (fireworks) to make a device such as the one that tsears described. An electric detonator is perhaps a little more advanced than just lighting a fuse, though.

AnsuGisalas

Or does it smack of skilled effort? Certainly sounds like a lot of trouble to go to for random mail. I'm pretty sure that problem can be circumvented though, depending on the installation. A fan of course can shunt off force, and a strong and slightly stretching wire can stop the lid at a degree of openness so small that it'd be difficult to get anything out in a hurry. Have to figure out a clever way to make the wire uncatch at lawful access of course.

Ocie3

for the explosive? It seems odd to me that a tennis ball (packed with anything solid) would collapse enough to fit through the mail slot. Or that would be a rather wide mail slot, IMO. But yeah, if it made into the box and detonated before it moved too far from the door, then that would do it. Which suggests an electrical detonator with a wire(s) short enough to stop the ball, yet enough remains outside for the perpetrator to stand clear.

ICan2

And scraping ice off the windshield in the winter.

Neon Samurai

Broke my heart a little when he retired (unless he's since un-retired). But, you can't fault Johnny Long for leaving pentesting to focus on humanitarian interests. It remains a video worth a re-watch every six months or so though until someone manages to do a better presentation.

JCitizen

Well worth the time! Every IT person that gives a flip about security should watch this video! Many of us forget about physical security, and how covert surveillance can tip the corporate espionage criminal to the weaknesses in one's armor. Very entertaining as well!! This guy is an excellent speaker!

Neon Samurai

And anyone else in that category of no-tech hacking.
